b'February 12, 2008\n\nALEXANDER E. LAZAROFF\nCHIEF POSTAL INSPECTOR\n\nDEBORAH M. GIANNONI-JACKSON\nVICE PRESIDENT, EMPLOYEE RESOURCE MANAGEMENT\n\nSUBJECT: Management Advisory \xe2\x80\x93 Review of the Postal Service\xe2\x80\x99s Personnel\n         Security Process (Report Number SA-MA-08-001)\n\nThis report presents the results of our self-initiated review of the Postal Service\xe2\x80\x99s\npersonnel security process (Project Number 07YG055SA000). We conducted this\nreview to examine the Postal Service\xe2\x80\x99s personnel security processes and compare them\nwith processes of other federal and selected private sector entities. This is one in a\nseries of reviews we plan to conduct in this area. See Appendix A for additional\ninformation about this review.\n\n                                             Background\nThe Postal Service must maintain public trust and security of the mail as well as assure\nconfidence in the reliability and integrity of its employees. Employees have the right to\nexpect a safe work environment, and the public has a right to expect the Postal Service\nto maintain the privacy of the mail. Federal law makes it clear that protection of mail,\nPostal Service funds, and property is the responsibility of every Postal Service\nemployee.\n\nThe Postal Service must ensure that individuals selected for employment have been\ncarefully screened, evaluated, and determined suitable for Postal Service employment\nso the conduct of these individuals will reflect favorably on the organization.1 The\nPostal Service\xe2\x80\x99s personnel security process encompasses screening for suitability and\ngranting security clearances. All Postal Service employees undergo a suitability\nscreening; in addition, depending on their positions, some employees may need\nsecurity clearances, which require a more extensive background investigation.\n\nA suitability screening determines whether applicants possess the necessary skills,\nabilities, and qualifications to perform various jobs in the Postal Service. The suitability\nscreening process is designed to disqualify ineligible or unsuitable applicants. The\nPostal Service\xe2\x80\x99s Human Resources Selection Evaluation and Recognition Office\n\n1\n Postal Handbook EL-312, Employment & Placement, Section 511.11, Rights to Workplace Safety & Mail Security,\nSeptember 2001. Postal Service Handbook AS-805, Information Security, Chapter 5, Personnel Security, Policy &\nGeneral Requirements, March 2002 (updated with Postal Bulletin revisions through November 23, 2006).\n\x0cReview of the Postal Service\xe2\x80\x99s                                                                          SA-MA-08-001\n Personnel Security Process\n\n\nprovides suitability guidance to area and district human resources (HR) personnel\nthroughout the country. When evaluating and determining an applicant\xe2\x80\x99s suitability, HR\npersonnel conduct, at a minimum, the following checks: age, employment, criminal and\nmilitary service history, a National Agency Check with Inquiries (NACI)2 for career\napplicants, and a Special Agency Check with Inquiries (SACI)3 for noncareer applicants.\nThe Office of Personnel Management (OPM) conducts the NACI and SACI, which\ninclude a Federal Bureau of Investigation (FBI) fingerprint check, for the Postal Service.\n\nThe Chief Postal Inspector or designee is responsible for issuing security clearances. If\nan employee needs a security clearance, the type of clearance granted depends on the\nsensitivity of the position held. A sensitive clearance is considered for employees who\nhave access to sensitive information restricted to the highest levels of the federal\ngovernment, U.S. Postal Service Office of Inspector General (OIG) files, U.S. Postal\nInspection Service (USPIS) files, national security (classified) information, or sensitive\ninformation essential to executive decision making. The sensitive level of clearance\nwithin the Postal Service encompasses both national security4 and public trust5\npositions.\n\nPostal Service employees who require a security clearance undergo a more extensive\nbackground investigation. A background investigation is conducted to help develop\ninformation about the person\xe2\x80\x99s character, reputation, and allegiance to the United States\nto determine eligibility for appointment to, or suitability for retention in, a Postal Service\nposition. OPM guidance for conducting background investigations establishes specific\npersonnel security criteria and procedures for the federal government. Although the\nPostal Service is not subject to Title 5 of the Code of Federal Regulations (CFR),6 it\ngenerally follows OPM guidance when conducting background investigations and also\nutilizes OPM to conduct portions of the investigation. Background investigations and\nthe issuance of proper security clearances are key elements in protecting national\nsecurity, ensuring the integrity of the mail, and protecting Postal Service employees,\ncustomers, and assets.\n\n\n\n\n2\n  The NACI is a background investigation inquiry that includes FBI name check, fingerprint check of the FBI\xe2\x80\x99s criminal\narrest database, Defense Clearance Investigation Index check, OPM Security/Suitability Investigations Index check,\nand a local law enforcement check of an applicant\xe2\x80\x99s residence, employment, and education for the last 5 years.\n3\n  The SACI includes the same checks as the NACI with the exception of a FBI name check, education verification,\nreference checks, and residence checks.\n4\n  National security clearances include Confidential, Secret, Top Secret, and Sensitive Compartmented Information.\n5\n  Administrative Support Manual 13, Section 272, Personnel Security Clearance, July 1999 (updated with Postal\nBulletin revisions through December 2006) states that public trust positions are responsible for managing programs\nor operations that require a high degree of public trust because of their ability to affect the accomplishment of the\nactivity\xe2\x80\x99s mission to a significant degree.\n6\n  Title 5 CFR establishes federal government guidelines, criteria, and procedures for hiring practices. Specifically, 5\nCFR 731 addresses suitability requirements; 5 CFR 732 pertains to national security positions; and 5 CFR 736\npertains to personnel investigations.\n\n\n                                                           2\n\x0cReview of the Postal Service\xe2\x80\x99s                                                                   SA-MA-08-001\n Personnel Security Process\n\n\n                                                 Results\nThe Postal Service\xe2\x80\x99s personnel security processes and procedures for conducting\nbackground checks and granting security clearances were comparable to those used by\nother federal agencies and private sector entities. For example, an applicants\xe2\x80\x99 age,\nprior employment, fingerprints, criminal record, military service, and selective service\nstatus are checked to determine whether an applicant is suitable for employment. See\nAppendices B and C for detailed benchmarking results.\n\nHowever, in our benchmarking, we noted differences in the following two areas:\nbackground checks of contract employees, and policies requiring employees to report\narrests and convictions. The Postal Service could potentially reduce its security risk to\nemployees, customers, the mail, and critical assets if it adopted policies and procedures\nin these areas similar to those used by some of the benchmarked agencies.\n\nBackground Checks of Contract Employees\n\nContractors are defined as individuals who provide services to the Postal Service and\nhave access to occupied Postal Service facilities, information and resources, including\ncomputer systems. These individuals must obtain clearance from the Postal Service\nbefore being provided that access. Postal Service procedures require contractors to\ncertify that contract employees have met suitability and security requirements. In\naddition, for a basic clearance, the Postal Service contracting officer, contracting\nofficer\xe2\x80\x99s representative (COR), or designee verifies the data submitted by contractors,\nwith no involvement from HR.\n\nThe Postal Service issues four levels of clearances for contractors: basic, non-\nsensitive, sensitive, and interim-sensitive. See Table 1 for contractor clearance levels.\n\nTable 1: Levels of Clearances Granted to Postal Service Contract Employees\n\n    Level of Clearance                                      Definition\n                                 Clearance required for individuals who have access to Postal\n            Basic                Service facilities, but do not require a higher level of clearance.\n                                 Clearance required for individuals who have access to Postal\n                                 Service information that, if compromised, would have limited\n        Non-sensitive            impact on the mission of the Postal Service; or who have\n                                 restricted access to Postal Service computer systems such as\n                                 word processing or data entry.\n                                 Clearance required for individuals who have access to\n                                 information that, if compromised, would cause significant\n                                 financial loss, inconvenience, or delay in the performance of\n                                 the mission of the Postal Service; or who have physical access\n          Sensitive\n                                 to restricted areas in Postal Service facilities, such as computer\n                                 rooms and tape libraries; or who have access to computer\n                                 systems such as on-site or remote terminals for systems\n                                 development or accessing sensitive systems or data.\n                                 Preliminary clearance granted for individuals for whom there is\n       Interim-sensitive         a priority need to begin work before completion of a sensitive\n                                 clearance.\n\n\n                                                      3\n\x0cReview of the Postal Service\xe2\x80\x99s                                                                        SA-MA-08-001\n Personnel Security Process\n\n\n\nThe level of clearance issued is determined by the scope and the nature of the work the\nindividual will perform. At the time of the contract award, the Postal Service contracting\nofficer, COR, or designee provides the contractor with the required clearance forms and\nreceives the forms back from the contractor upon completion. The contracting officer,\nCOR, or designee reviews these forms for completeness and adequacy. For a basic\nclearance, if the information provided by the contractor is satisfactory, the contracting\nofficer, COR, or designee authorizes issuance of an identification badge to the contract\nemployee.7 For a higher clearance (non-sensitive, sensitive, or interim-sensitive), the\ncontracting officer, COR, or designee reviews the forms submitted by the contractor and\nforwards them to the Security Investigations Service Center (SISC) for review and\nissuance of a security clearance. Individuals may begin work when they receive\nnotification that the security clearance has been granted.\n\nBenchmarking Results\n\nThe Social Security Administration (SSA), Internal Revenue Service (IRS), and\nTennessee Valley Authority (TVA) do not rely on contractor certifications to ensure that\ncontract employees meet personnel security requirements. These agencies\xe2\x80\x99 HR or\npersonnel security departments, rather than the contracting officers, make suitability\ndeterminations for contract employees.\n\nPotential Gap\n\nPostal Service HR personnel do not certify or verify whether contract employees who\nrequire basic clearances have met Postal Service security requirements. Allowing\ncontractors to certify that their employees meet Postal Service security requirements\nand relying on the contracting officer, COR, or designee to verify the data provided by\nthe contractor could expose Postal Service employees, customers, the mail, and critical\nassets to unnecessary risk. Alternatively, certification or verification by HR or security\npersonnel could help ensure all contract employees meet security requirements and\npotentially reduce the risk.\n\nPolicy Requiring Employees to Report Arrests and Convictions\n\nExcept for a policy covering sex offenders, Postal Service policy does not specifically\nrequire Postal Service employees to inform management if they are arrested or\nconvicted. According to the principles of ethical conduct set forth in the Postal Service\xe2\x80\x99s\nEmployment and Labor Relations Manual, employees must not engage in criminal,\ndishonest, notoriously disgraceful, immoral, or other conduct prejudicial to the Postal\nService. Conviction for a violation of any criminal statute may be grounds for\ndisciplinary action against an employee, including removal of the employee, in addition\nto any other penalty imposed by law. However, Postal Service policy does not\n\n7\n  The contracting officer, COR, or designee may allow individuals who are needed immediately by Postal Service\nmanagement to have limited access to the Postal Service facility for up to 2 weeks, under the supervision of a Postal\nService employee, pending the receipt of the completed certifications for the basic clearance.\n\n\n                                                          4\n\x0cReview of the Postal Service\xe2\x80\x99s                                                                       SA-MA-08-001\n Personnel Security Process\n\n\nspecifically state that employees must report violations of federal and state laws\nresulting in arrests and convictions to management or the OIG.\n\nBenchmarking Results\n\nWe benchmarked with two entities that require all or segments of their employees to\nreport arrests and convictions. TVA, which is an excepted service agency like the\nPostal Service, has adopted a policy that specifically requires regular and contract\nemployees to notify their supervisor if they are arrested or charged with any criminal act.\nSimilarly, employees at one of the private sector entities we benchmarked with have\nunescorted airport access privileges and are subject to the Transportation Security\nAdministration\xe2\x80\x99s (TSA) mandated self-disclosure policy. This policy requires employees\nwith unescorted airport access to report convictions and criminal offenses to\nmanagement within 24 hours.8\n\nPotential Gap\n\nThe Postal Service does not condone employee criminal behavior. By regulation,\nPostal Service employees who are convicted of a violation of a criminal statute can be\nsubject to disciplinary action up to and including dismissal.9 Current Postal Service\npolicy conveys the sense that Postal Service employees are expected to obey the law\nand can be dismissed if they do not. However, the policy does not require Postal\nService employees to report their criminal arrests and convictions to anyone in the\nPostal Service, except for convicted sex offenders. A policy requiring employees to\nreport arrests and convictions could reduce the risk of exposure for Postal Service\nemployees, customers, the mail, and critical assets.\n\nWe did not make any recommendations concerning these two issues in this report,\nhowever we may address them further in future audits of the Postal Service\xe2\x80\x99s personnel\nsecurity processes and procedures. Although the OIG did not make recommendations,\nwe did provide Postal Service management with the opportunity to comment on any\nissues identified in the report. The Vice President, Employee Resource Management,\nprovided comments which are included in their entirety in Appendix D.\n\n\n\n\n8\n  TSA requires employees to report criminal offenses such as importation or manufacture of a controlled substance,\nextortion, bribery, rape, or aggravated sexual abuse and murder. The policy lists approximately 30 offenses that\nshould be reported.\n9\n  Postal Service Employment and Labor Relations Manual (ELM 18), Section 665.16 Behavior and Personal Habits,\nJune 2007 gives the Postal Service standards of conduct.\n\n\n                                                         5\n\x0cReview of the Postal Service\xe2\x80\x99s                                             SA-MA-08-001\n Personnel Security Process\n\n\n\nWe appreciate the cooperation and courtesies provided by your staff. If you have any\nquestions or need additional information, please contact Andrea Deadwyler, Director,\nInspection Service and Facilities, or me at (703) 248-2100.\n\n E-Signed by Darrell E. Benjamin, Jr\n VERIFY authenticity with ApproveIt\nDarrell E. Benjamin, Jr.\nDeputy Assistant Inspector General\n for Support Operations\n\nAttachments\n\ncc:     Michele L. Culp\n        Juliana Nedd\n        Mangala P. Gandhi\n        Katherine S. Banks\n\n\n\n\n                                          6\n\x0cReview of the Postal Service\xe2\x80\x99s                                                                          SA-MA-08-001\n Personnel Security Process\n\n\n                       APPENDIX A: ADDITIONAL INFORMATION\n\nObjective, Scope, and Methodology\n\nOur objective was to assess the Postal Service\xe2\x80\x99s personnel security processes and\nprocedures to determine whether they were comparable to other federal agencies and\nselected private sector entities. The scope of our review entailed a review of the Postal\nService\xe2\x80\x99s personnel security processes for regular and contract employees, including\nsuitability screening, background investigations, and security clearances.\n\nTo accomplish our objective, we obtained and reviewed applicable criteria, laws,\nregulations, Postal Service policies and procedures, and other documentation pertaining\nto our objective. We conducted interviews with Postal Service and USPIS personnel at\nheadquarters and at the SISC in Memphis, Tennessee. We also conducted interviews\nwith OPM personnel and other personnel deemed pertinent to this review. We\nbenchmarked with the following federal and private sector entities to obtain an\nunderstanding of their personnel security processes: IRS, SSA, TVA, United Parcel\nService (UPS), and Dalsey, Hillblom, and Lynn (DHL). We selected these entities\nbecause of their: exposure to the public, excepted service status,10 or business in the\nmailing industry. We assured the private sector entities that any information they\nprovided would be used strictly for comparative purposes and would not be directly\nattributed to their organization in our report. As a result, the report does not identify the\nprivate sector entities regarding specific practices, policies, or procedures.\n\nWe conducted this review from July 2007 through February 2008 in accordance with the\nPresident\xe2\x80\x99s Council on Integrity and Efficiency, Quality Standards for Inspections. We\ndiscussed our observations and conclusions with management officials on November\n28, 2007 and included their comments where appropriate.\n\nPrior Audit Coverage\nThe OIG issued three audit reports related to the personnel security process within the\npast 3 years:\n\n     \xe2\x80\xa2   Separation of Duties at the Eagan, Minnesota; San Mateo, California; and St.\n         Louis, Missouri Information Technology and Accounting Service Center\n         (Report Number IS-AR-07-017, dated August 29, 2007) \xe2\x80\x93 This report stated that,\n         generally, policies, procedures, and internal controls were adequate to separate\n         duties for personnel with access to critical information system resources at the\n         data centers. However, controls to determine which career employees required\n         sensitive security clearances needed strengthening. We recommended and\n         management agreed to: assess the risk of the duties of all Information\n         Technology (IT) and Accounting Service Center (ASC) positions; establish\n\n10\n  Excepted service agencies are not subject to the appointment, pay, and classification rules in Title 5, United States\nCode. However, they are subject to veterans\xe2\x80\x99 preference.\n\n\n                                                           7\n\x0cReview of the Postal Service\xe2\x80\x99s                                                  SA-MA-08-001\n Personnel Security Process\n\n\n        periodic reassessment of such risks; establish a central location to maintain a list\n        of sensitive positions; notify the USPIS when new IT and ASC positions are\n        created or a new employee is hired; and appropriately amend the Administrative\n        Support Manual, Issue 13, Chapter 2, Section 272.\n\n    \xe2\x80\xa2   Inspection Service Security Investigations Service Center (Report Number SA-\n        AR-06-002, dated April 20, 2006) \xe2\x80\x93 This report stated that the SISC generally\n        followed policies and procedures for managing and safeguarding closed cases\n        and processing Freedom of Information Act requests. However, opportunities\n        existed to improve the overall management of the background security clearance\n        program, personnel security training, and the 1510 Mail Loss/Rifling Program to\n        better support the USPIS mission. During the audit, SISC staff took corrective\n        actions to address carryovers for background security clearances, personnel\n        security training, and the 1510 Mail Loss/Rifling Program. Management agreed\n        to ensure that SISC personnel receive formal annual and refresher training; and\n        that postal inspectors review all Postal Service Form 1510, Mail Loss/Rifling,\n        complaints before the complaints are destroyed. Management disagreed with\n        establishing a comprehensive management plan to address erroneous data in\n        the Security Clearance Tracking System and reduce its carryover of background\n        investigations.\n\n    \xe2\x80\xa2   Audit of Personnel Security Controls at the Eagan, San Mateo, and St. Louis\n        Information Technology and Accounting Service Centers (Report Number IS-AR-\n        04-011, dated September 8, 2004) \xe2\x80\x93 This report identified no exceptions in the\n        review of initial security clearances and updates for contractors. However, the\n        report concluded that the Postal Service did not consistently obtain security\n        clearance updates for career employees. We recommended that the Vice\n        President, Chief Technology Officer, direct the Security Control Officers in St.\n        Louis and San Mateo to process security clearance updates as required for all\n        Postal Service employees assigned to sensitive positions at the IT and ASCs.\n        Management agreed with the recommendation.\n\n\n\n\n                                              8\n\x0cReview of the Postal Service\xe2\x80\x99s                                                                                                                                SA-MA-08-001\n Personnel Security Process\n\n\n                                                        APPENDIX B: SUITABILITY RESULTS\n                                                         Employee and Contractor Suitability Results\n                                                                                                                              Private Sector          Private Sector\n                         Postal Service                  TVA                       SSA                      IRS\n                                                                                                                                 Entity A                Entity B\n                          District or area HR\n                            office conducts       Personnel security        Suitability security      Personnel security\n                                                                                                                               HR office conducts     HR office conducts\n                           investigation for       office conducts           office conducts           office conducts\n   Background                                                                                                                    investigation in       investigation in\n                         regular employees;         investigation in          investigation in          investigation in\n                                                                                                                              accordance with risk   accordance with risk\n     Checks              contractor or vendor    accordance with risk      accordance with risk      accordance with risk\n                                                                                                                              level for employees    level for employees\n                        conducts investigation   level for employees       level for employees       level for employees\n                                                                                                                                and contractors.       and contractors.\n                              for contract         and contractors.          and contractors.          and contractors.\n                              employees.\n\n                         District HR manager\n                        or designee for Postal    Personnel security                                Labor relations office\n                                                                             Suitability security                                HR office for           HR office for\n                         Service employees;       and suitability office                                for employees;\n   Adjudication          contractor or vendor     for employees and\n                                                                            office for employees\n                                                                                                     personnel security\n                                                                                                                                employees and           employees and\n                                                                              and contractors.                                   contractors.            contractors.\n                              for contract            contractors.                                  office for contractors.\n                              employees.\n\n\n                                                                                                       Every 5 years for\n                                                 No system in place for\n                                                                           No system in place for   employees in high-risk\n                                                  regular employees.\n                        No system in place for                              regular employees.         positions, such as\n                                                   Fingerprint check\n Reinvestigations        regular or contract\n                                                 upon contract renewal\n                                                                             Fingerprint check       criminal investigators   No system in place.     No system in place.\n                             employees.                                      every 5 years for          and executives.\n                                                      for contract\n                                                                            contract employees.       Every 5 years for all\n                                                      employees.\n                                                                                                          contractors.\n\n                                                                                                                                                         Employees and\n                                                                                                                                                      contract employees\n                                                    Policy requiring\n                                                                                                                                                        with unescorted\n    Arrest and                                      employees and\n                                                                                                                                                       airport access are\n                                                  contractors to report\n    Conviction                No policy.\n                                                      arrests and\n                                                                                 No policy.               No policy.               No policy.            subject to TSA\n      Policy                                                                                                                                         policies, which require\n                                                     convictions to\n                                                                                                                                                          them to report\n                                                     management.\n                                                                                                                                                       convictions within\n                                                                                                                                                            24 hours.\n\n\n\n\n                                                                                       9\n\x0cReview of the Postal Service\xe2\x80\x99s                                                                                                                                SA-MA-08-001\n Personnel Security Process\n\n\n                                                APPENDIX C: SECURITY CLEARANCE RESULTS\n                                                Employee and Contractor Security Clearance Results\n                                                                                                                            Private Sector         Private Sector\n                        Postal Service                  TVA                      SSA                      IRS\n                                                                                                                               Entity A               Entity B\n                         FOLLOW OPM                FOLLOW OPM               FOLLOW OPM               FOLLOW OPM\n                            GUIDANCE                  GUIDANCE                 GUIDANCE                 GUIDANCE\n                         Applicants must           Applicants must          Applicants must          Applicants must\n  Background                 undergo a                 undergo a                undergo a                undergo a\n                                                                                                                            No federal security    No federal security\n                            background                background               background               background\n    Checks                                                                                                                     clearances.            clearances.\n                          investigation.            investigation.           investigation.           investigation.\n                      Minimum investigative     Minimum investigative    Minimum investigative    Minimum investigative\n                      requirements correlate    requirements correlate   requirements correlate   requirements correlate\n                           to risk levels.           to risk levels.          to risk levels.          to risk levels.\n\n\n\n                      Security Investigations    Personnel security        Suitability security                             No federal security    No federal security\n  Adjudication           Service Center.              office.                    office.\n                                                                                                  Labor relations office.\n                                                                                                                               clearances.            clearances.\n\n\n\n\n                           Follow OPM                Follow OPM               Follow OPM               Follow OPM           No federal security    No federal security\nReinvestigations            guidelines.               guidelines.              guidelines.              guidelines.            clearances.            clearances.\n\n\n\n\n                                                                                                                                                      Employees and\n                                                                                                                                                    contract employees\n                                                   Policy requiring\n                                                                                                                                                      with unescorted\n   Arrest and                                      employees and\n                                                                                                                                                     airport access are\n                                                 contractors to report                                                      No federal security\n   Conviction               No policy.\n                                                     arrests and\n                                                                               No policy.               No policy.\n                                                                                                                               clearances.\n                                                                                                                                                       subject to TSA\n     Policy                                                                                                                                       policies, which require\n                                                    convictions to\n                                                                                                                                                       them to report\n                                                    management.\n                                                                                                                                                   convictions within 24\n                                                                                                                                                           hours.\n\n\n\n\n                                                                                       10\n\x0cReview of the Postal Service\xe2\x80\x99s                          SA-MA-08-001\n Personnel Security Process\n\n\n                    APPENDIX D: MANAGEMENT\xe2\x80\x99S COMMENTS\n\n\n\n\n                                   11\n\x0cReview of the Postal Service\xe2\x80\x99s        SA-MA-08-001\n Personnel Security Process\n\n\n\n\n                                 12\n\x0cReview of the Postal Service\xe2\x80\x99s        SA-MA-08-001\n Personnel Security Process\n\n\n\n\n                                 13\n\x0cReview of the Postal Service\xe2\x80\x99s        SA-MA-08-001\n Personnel Security Process\n\n\n\n\n                                 14\n\x0c'